Covid19 App questions answered here

[magentaflame]

What Digital Rights Watch has to say about it all .

Seems fairly balanced

https://digitalrightswatch.org.au/2020/ ... Bho6IReqSc

last updated on April 26th after the Government launched the app

To expedite Covid-19 contact tracing in Australia, the Commonwealth Government has announced a new smartphone application will be in Google and Apple stores within a fortnight.

This explainer on the privacy impacts of the app has been collated based on information that we’ve learned as it has slowly been released.

The app uses Bluetooth Low Energy to detect other phones running the app nearby. When the app detects another phone within 1.5 metres, it records the unique identifier of that phone and the duration of time it was within proximity, and then encrypts it. This data is retained on the phones for 21 days, the duration of contagiousness. If an app user tests positive, stored data for phones that recorded 15 minutes or more of contact—the duration of contact likely to put someone at risk of infection—are uploaded to the government server, and decrypted. A health department official then contacts those potentially infected users.

Any initiative undertaken by the government using digital technologies and personal information must be transparent, temporary and proportionate in order to generate the social licence to function as needed. This app does not meet those standards. There are issues with the efficacy of the app itself, and several reasons why Australians may not adopt it in sufficient numbers to be effective. The government has put that number at 40%. Experts elsewhere suggest this is too low.

There is a litany of public failures that undermine the government’s credibility with tech projects. The census, robodebt, MyGov and more. People are rightly concerned about data loss or misuse regardless of whether it is by accident or design.

There is no strong international case the government can cite. The app was not a big success in Singapore, only about 20% of people installed it. A 2019 survey reported 67% of Singaporeans trust their government. Only 42% of Australians felt the same way about theirs. Prime Minister Lee Hsien Loong said for almost half of the people infected there, “we do not know where or from whom the person caught the virus,” after the app deployment.

The use of BLE to exchange unique identifiers, properly encrypted on the device, is a good technical solution at first glance. However, privacy safeguards, particularly on Apple iOS, make it unreliable. Apple users of TraceTogether, the app used in Singapore the Australian one is based on, have reported that unless the app is active on screen and no other Bluetooth device is in use, it does not record connections. This will impact battery life and general usability of the phone, leading users to deactivate or uninstall it. The government previously said they will not be using the proposed Apple/Google system that addresses this, though Health Minister Greg Hunt suggested Apple were providing a fix for battery life issues in the coming weeks.

As with any data exchange involving governments, particularly around potentially identifiable personal information, there are numerous privacy concerns. The data app collects (in this case it requires a name, phone number, postcode and an age range on registering, and keeps only encrypted contact IDs on device) is not the biggest concern. What authorities will do with data they obtain is key.

Simple disclosures around what is recorded on the device, for how long, what data is sent to the Government server, who controls that server and who accesses it, what laws it is subject to, as well as when the app will shut down, when data collection will cease and when data will be destroyed aren’t sufficiently addressed in the Government’s privacy policy.

Information about the new app trickled in as the government responded to criticisms prior to launch. This led to the government declaring the app source code will be open for anyone to review, a stance they have since walked back. An assessment by the Cyber Security Cooperative Research Centre deemed it safe. The government has been at pains to say privacy will be respected, but has ignored best practice in ensuring so.

Neither the app nor the infrastructure at the government end has been independently fully assessed. The CSCRC was not given access to the entire system. This leaves uncertainty around what happens to the information once it reaches the government. Why isn’t the whole data custody chain auditable if the system is only for this one purpose?

A more rights-focussed decentralised app design could perform the same function while removing the need for a government ‘middle-man’ to handle any data at all. If a user tests positive for the virus, that information could trigger notifications to be sent to contacts from that user’s phone, informing them to seek a test and quarantine.

The centralised model the Government deployed requires users to register their basic information, and data exchanges are handled by a server in Australia provided by Amazon Web Services. AWS infrastructure is subject to US laws governing data, as well as their surveillance regime. This simply means that data from the app could be accessed by US law enforcement, regardless of protections here. Information exchange arrangements between American and Australian agencies could see that data eventually end up in hands of local law enforcement as well.

Prime Minister Scott Morrison said that any information collected would only be used by state and territory health agencies for covid19-related purposes. Attorney-General Christian Porter stated police will be barred from accessing metadata from the app. And Health Minister Greg Hunt announced a Determination under the Biosecurity Act to prohibit other access or use of the app or the data.

In other jurisdictions this may well be adequate, but recently passed legislation in Australia completely undermines these provisions.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, or TOLA, gives Australian law enforcement and intelligence agencies powers to compel anyone providing any service or product that involves telecommunications or the internet to remove electronic protections like encryption. They can also issue a directive to create or modify features. It is an offence for anyone receiving such an order to even reveal its existence, or to fail to comply with it.

The developers of the contact tracing app may have already received such a directive, and implemented a mechanism to give data to law enforcement or other agencies. They would risk imprisonment if they answered any questions about a directive, or alluded to its existence.

An app that records when and for how long people of interest come into contact is undeniably a compelling capability for security agencies to have access to.

Extending the capability of the app is not the only avenue authorities could exploit. The metadata retention scheme implemented by the Government in 2015 mandates the collection and retention of identifying information for 2 years. This data is already being accessed by many more agencies than the government assured it would be, unprotected by any warrant requirement. Cross-referencing contact tracing app data could easily create a de-anonymised picture of who met with who and for how long.

The Attorney-General and the Prime Minister may in future attempt to address privacy concerns by publicly stating that under no circumstances will the contact tracing app or any others like it be subject to TOLA, or cross-referenced with collected metadata, but even a commitment like this can’t be accepted uncritically.

A week after Scott Morrison stated no mobile phone location data was being used by the Government as it was in the UK to monitor trends in response to the virus, an arrangement between Vodafone and the Government to do exactly that was revealed. Arrangements with other telcos have not been confirmed but are almost certainly in place. This deception typifies the government’s approach to issues around privacy and surveillance in recent years.

Privacy and other rights concerns were ignored completely when mandatory data retention was introduced, and again when TOLA was introduced. One of the loudest warnings at that time came from industry professionals, who said that the passage of this bill meant any and every piece of software developed or deployed in Australia could no longer be trusted.

Contempt for our rights in the recent past by governments at every level has led to this environment of mistrust, and it could not have come at a worse time.

[Bryn Mawr]

Not just frightening, terrifying!

[magentaflame]

Our Prime minister is a total **** knuckle. At first it was "we'd like about 1 million people to put it on their phones." then "we need more people to put it on their phones". Now it's " if you want to go outside we need everyone to put it on their phones" We're being blackmailed.

Then we find out that iPhones needs the App to be the main focus on the phone which apparently runs the battery done quicker . (I don't know if this is true because I've never owned an Iphone.

[magentaflame]

I don't know if you guys get the "honest government ads"